Tuesday, November 26, 2013

Auditing thousands of remote desktops


Recently inspired by the rash of  'internet surveys'(scanning entire portions of the 'net), I decided to do sort of the same but on a smaller scale. I hate being left out.
One of the Nova Hacker guys (Mubix maybe?) did an internet scan of port 3389 with zmap and reported the results. I have used zmap, and while it is a very intimidating utility, it typically hoses my network at home, even when throttling it way down. I decided to use something less lethal, so my kid could still use his xbox, while I sampled away.
Using 'masscan' instead of zmap, I decided to scan a rather random /8 for open remote desktops.
Throttling the packet rate down to something manageable, I then ran up against how to actually audit the desktops once found.
After discovering the first thousand out of the eventually discovered 5000 or so open desktop ports, I realized that some elegance was needed to manage all this data.
The most common way to view a remote desktop within linux or BSD variants is to use rdesktop.
Stacking the IP adresses into a flatfile, it was a simple matter to iterate through the desktops with a shell loop:
for IP in `cat port3389.list`
rdesktop $IP

But, this was still unseemly, for I would still have to view a thousand desktops manually.
Luckily, I remembered that X11 had the answer for me. Every time a new window spawns within X11, it is mapped with a title and a position within the root window. If I could easily extrapolate the newly spawned window name, I could simply query X for the window and capture a screenshot of it with the 'xwd' utility, and redisplay it with the 'xwud' utility. This required installation of X11-apps within the Kali Linux distro:
'apt-get install x11-apps'
 Now I could spawn a remote desktop, capture the image and view it later at my leisure:

for IP in `cat port3389.list`
rdesktop $IP; sleep 1;

xwd -out /tmp/dumps/$IP.desktop-display -name " rdesktop - $IP " && pkill rdesktop
The sleep 1 is to ensure the window has a chance to render completely before the cap takes place.

That script will drop thousands of caps in your dump directory, if you are lucky. So run it overnight unattended, if so inclined.
Now to view the caps, run another loop like so:
for cap in `ls /tmp/dumps`
xwud $cap

This will require intervention, namely your mouse. because xwud closes the displayed window after a detected mouseclick.

The next post will discuss my findings. Please note, I have not found a single truly open and unlocked desktop yet, which flies in the face of all the guys flapping their arms around and laughing at the open things they find, but some very interesting things have still been found though.
an additional note: don't do it.



Post a Comment

<< Home